
Cyber Incident Victim: Tim Hortons

Date: Feb 2018

Location: Canada

Summary

A computer virus disrupted operations at numerous Tim Hortons locations by crashing Windows XP-based cash registers, affecting over 1,000 stores and forcing temporary or permanent closures at some franchises. The incident caused significant financial impacts including lost sales, employee wage costs, and product spoilage, prompting franchise owners to demand compensation from the parent company while criticizing deficient IT practices. The parent organization stated no customer payment data was compromised and engaged external vendors to resolve the system failures, though the claim regarding data safety was noted as premature given the early stage of investigation.


Description

The incident impacting Tim Hortons franchisees began on or around February 27, 2018, when cash registers at multiple locations started crashing due to a suspected computer virus. The affected point-of-sale (PoS) systems ran on the outdated Windows XP operating system, leading to widespread operational disruptions. Initial reports indicated outages at fewer than 100 restaurants, but the problem escalated rapidly throughout the week, ultimately affecting over 1,000 locations across Canada—representing nearly a quarter of the chain's national footprint. Stores experienced varying levels of downtime, with some forced to close temporarily while attempting system repairs and others shutting down permanently due to unresolved technical issues. Restaurant Brands Inc. (RBI), Tim Hortons' parent company and operator of the centralized PoS infrastructure, maintained days of public silence as the crisis unfolded, leaving franchisees without official guidance or support during peak business hours.

Franchise owners organized through the Great White North Franchise Association to demand accountability from RBI, submitting a formal letter that outlined financial losses from employee wages, spoiled inventory, and missed sales opportunities during the outages. The association gave RBI until that Friday to arrange compensation discussions while criticizing the parent company's "deficient IT practices" and calling for immediate system upgrades. On March 2, a Tim Hortons spokesperson finally acknowledged the situation, confirming collaboration with an external vendor to address the virus-related crashes but offering no technical details about the malware or root cause. While the company asserted no customer payment card data was compromised, this claim remained unverified given the early stage of incident analysis. The PoS disruptions occurred against a backdrop of existing tensions between franchisees and RBI regarding operational decisions unrelated to the cybersecurity event.
